Announcements from the MAG & Featured Articles

Card-Not-Present Merchants worry about fraud, but should be just as worried about false positives!

Merchants are walking a fine line: should they accept a sale that might be fraudulent, or should they turn down a sale that might be legitimate? That’s the $43 billion-dollar question.

According to Javelin in their August 2015 report “Future Proofing Card Authorization,” the total amount of revenue lost due to false declines (for both POS and CNP) dwarfs the amount lost due to fraud, $118B vs $9B. False positives are at least 13 times as costly to merchants and issuers as fraudulent chargebacks!

Javelin also reports that more than 33 million adults – 15% of all cardholders – had a transaction falsely declined due to suspected fraud in 2014.

In addition to the initial falsely declined transaction, cardholders reacted to the card that was declined. Nearly 40% of cardholders completely STOPPED using that card, and an additional 25% reduced their usage of the declined card – a total loss of revenue from 13.1 million cardholders, and a partial loss of revenue on an additional 8.3 million cardholders. That’s a lot of revenue lost by issuers and potentially lost when merchants insult their consumer and the consumer shops elsewhere.

Because of EMV, card authorization at point of sale will improve; but EMV does nothing for authentication and authorization of CNP transactions.

The false positive numbers for the CNP channel are staggering. Of that $118B lost to false positives in 2014, 37%, or $43B+, can be attributed to the CNP channel (which represents only 6.6% of total retail sales, according to eMarketer.

What’s a merchant to do? With a disproportionate percentage of false positives happening in the CNP channel, and cardholders reducing or completely abandoning use of declined cards, false positives are a much bigger problem than potential fraud.

Merchants are walking a fine line: should they accept a sale that might be fraudulent, or should they turn down a sale that might be legitimate? That’s the $43 billion-dollar question.

How do false positives occur? To understand how to lower your false positives, you first need to understand the mechanics of how false positives in the CNP channel happen in the first place.

The CNP channel is very different from POS, in that a merchant can verify the cardholder in person when they present the card at checkout and can compare the signature on the card with the signature on the receipt, vs a CNP transaction, where neither the merchant nor the consumer see each other in person or sign for the purchase, and the merchant has no idea if the person conducting the transaction has the actual card or really is the cardholder.

In a legitimate CNP transaction, (see below), a consumer enters a card number at the merchant’s website/shopping cart. The merchant can proceed in two ways: without Consumer Authentication or with Consumer Authentication. Let’s look at what happens at a high level.

From the shopping cart, the transaction (and card number, known in the payments industry as the PAN – the Primary Account Number) go to the payment gateway, which routes the transaction to the merchant’s acquiring bank and processor. The processor checks with the consumer’s issuing bank, which authorizes or declines the transaction. The issuing bank can be a risk-based bank, meaning they use the information they know about their cardholder – the device they usually transact with, their location, the merchants they buy from, their average transaction amounts, and more, to determine, behind the scenes, the risk of accepting that transaction. This all happens in milliseconds, so there is no delay in the consumer’s checkout experience. In this scenario, the merchant does not use Consumer Authentication, and if the bank’s risk rules indicate that this might be a fraudulent transaction and the transaction is declined, it results in a false positive, and both the merchant and the consumer are out of luck.

In this scenario, the merchant has no control over influencing whether that transaction is authorized or declined.

When a transaction is declined without Consumer Authentication, the consumer will be prompted for another form of payment, and they either use another card or abandon the merchant’s website altogether. The consumer is inconvenienced (and experiences friction – which is what the merchant wants to avoid during checkout), and both the merchant and the card issuer can lose out on this transaction – and possibly many future transactions. The Javelin study shows that 39% of consumers stop using the card that was declined completely, and 25% more reduce the times they use that card. The merchant can also lose that consumer to one of their competitors for this transaction and potentially future transactions.

When a merchant uses Consumer Authentication, the flow changes. Before the transaction goes to the gateway and issuer, the merchant/shopping cart first sends the transaction to Cardinal for Consumer Authentication. Cardinal’s rules engine, based on rules that the merchant has set up, determines whether the card and transaction can be authenticated behind the scenes, using information like device and IP, transaction amount, shipping address and up to three hundred data points that Cardinal collects. If the transaction is authenticated in this manner, the authentication codes accompany the transaction to the gateway, acquirer/processor, and issuer. The issuer, when seeing that the transaction has been authenticated, will authorize, even if there are factors that, without the authentication, would prompt them to decline the transaction. This is how Consumer Authentication reduces false positives. By giving the issuer confidence that the cardholder is who they say they are, the issuer will rarely decline an authenticated transaction (unless there are funds availability issues).

Benefits of Consumer Authentication There are many tangible benefits of Consumer Authentication that merchants will see.

As described above, with Consumer Authentication, false positives will be reduced, resulting in increased sales.

Merchants also have the opportunity to increase sales by selling in regions where 3-D Secure is mandated.

When a merchant uses Consumer Authentication, which includes the 3-D Secure protocols, he is eligible for liability shift, meaning the issuer takes responsibility for any fraudulent chargebacks on authenticated transactions.

The merchant may also be eligible for reduced interchange fees. When merchants authenticate CNP transactions, the acquiring bank often charges the merchant less in interchange.

Another benefit is less manual review. When CNP transactions are authenticated, manual review can be reduced up to 70%.

One of the most valuable benefits of Consumer Authentication is the difference in consumer experience. With Cardinal’s rules-based approach, which incorporates the 3-D Secure protocols, merchants have choice over which transactions are authenticated (and experience a challenge), and control over the checkout experience. Most transactions can be authenticated behind the scenes, with zero consumer friction. The transactions that trigger red flags and are challenged are more likely to be fraud, which merchants and issuers would not want authenticated or authorized anyway.